You’ve Been Backscattered!

INFRASTRUCTURE LOG

DAY 94: We don’t have the insights to maintain our IT service-level agreements! We can’t deliver against our objectives! How are we supposed to do our jobs in the dark?

Gil rented a giant searchlight to give us a little “visibility.” He’s also temporarily blinded all the administrators.

DAY 96: I found a better way. Hardware, software and services from IBM Service Management give us the integrated visibility, control and automation we need — like dashboards that give us insights to manage against business objectives. We can improve governance and minimize risks. And we can keep tabs on the status and health of our services at each stage of their lifecycle while tracking our SLAs in real time.

Now if we could just get our vision plan to cover “rampant idiocy.”

Take the IT Service Management assessment at:

IBM.COM/TAKEBACKCONTROL/VISIBLE
Not Sure? Let Reconnex Help.

Reconnex is positioned in the Leaders Quadrant of Gartner, Inc.’s Data Loss Prevention Magic Quadrant¹. Customers appreciate our unique ability to help them understand their sensitive data. Over one million users trust us to protect their information today.

Reconnex

DATA LOSS PREVENTION APPLIANCES

WHY RECONNEX?

SIMPLE. Automatic Rule Creation
FAST. Turnkey Appliance Solution
COMPLETE. Full Functionality. No Compromises.

TAKE THE FIRST STEP.

Get a complimentary* Risk Assessment from Reconnex.
Find out more at www.reconnex.net/LEADER

*QUALIFICATIONS APPLY.

is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


[FROM THE EDITOR]

Three and Out?

The “State of the CSO 2008” survey results raise hope that the position has more staying power than it had in the past

I’ve had this cynical idea floating in the back of my brain for a while: The optimum tenure of a CSO might only be three years. The reasoning, based on a lot of discussions with CSOs, looks something like this:

Year one, you’ve probably been invited to clean up someone’s mess. Year two, your new policies are getting traction, your budget is approved, your new systems are getting implemented. Year three, your benchmarks are showing the results of your labors. Awareness is up. Incidents are down.

But something else is happening in year three. Namely, some other leadership positions in the company have changed and new management doesn’t agree with your priorities. Meanwhile, the people who’ve stayed are getting tired of your voice and some (or all) of the controls you’ve put in place. The mess you cleaned up has been more or less forgotten.

At that point, you might choose to throw up your hands and “become a consultant” for a while, as so many security leaders do. The consulting lifestyle (in the instances where it isn’t a euphemism for “looking for another full-time job”) definitely has its downsides, but at minimum it ensures that the folks you’re talking to are mostly not tired of your voice.

As I said, it’s a cynical thought. Happily, when I look at the results of our “State of the CSO 2008” survey, I see reason for hope. Respondents say the importance of risk management continues to rise in the corporate world (even if regulations remain a primary driver). Senior managers (though not the average employee so much) demonstrate more and more of a grasp on their own security-related responsibilities. Security job tenures are even up.

Why is that? I think it’s because you’re doing a better and better job of speaking in the language that resonates with your fellow businesspeople. We’ve been conducting this research since 2003, and the percentage of survey respondents who have MBAs continues to rise slowly but steadily. That’s just one data point, and the MBA isn’t a cure-all for security. Nevertheless, I think it’s a telling sign.

So now what? I think the business savvy that CSOs are showing has to be pushed aggressively to the rest of the security staff. Stronger security personnel yields stronger security. To that end, we’ve focused the articles in this issue on personal development areas that you can use to refresh your own memory and disseminate to your staff.

The more business-minded security becomes, the less I think we’ll see of the three-and-out phenomenon.

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editor Bill Brenner
Asst. Managing Editor Diann Daniel
Staff Writer Katherine Walsh
Copy Editor Susan Bryant-Still
Associate Copy Editor Kristin Burnham
Editorial Assistant Jarina D’Auria
Editorial Administrator Jill Paquette
Contributors Jeff Bardin, Scott Berinato, Mary Brandel, William Brandel, Rick Cook, Michael Fitzgerald, Robert McMillan, Lauren Gibbons Paul

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson
Senior Research Analyst Seanna Maguire

CXO MEDIA/IDG
COO Matt Smith
CSO Robert Hayes

TECHNICAL ADVISORY BOARD
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO MEDIA INC
INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan

4 www.csoonline.com June 2008
Photo by Webb Chappell

Troubled by evolving network threats? As you open up the network to more users and deploy newer apps and business initiatives, your security should keep pace. Only Juniper Networks gives you unprecedented protection from attacks while providing visibility across the network. So defend against application-layer threats and minimize downtime. Deliver valuable assets to a wider base of users. Adhere to regulatory compliance requirements.

Juniper’s broad security portfolio lets you leverage the network in new ways, to achieve greater business goals. The switch is on to comprehensive network security: www.juniper.net/secure
[FROM THE PUBLISHER]

Regulation S-P: A-OK

You have to admire the position that the U.S. Securities and Exchange Commission (SEC) holds. When they speak, business listens. Now the SEC has proposed amendments to Regulation S-P (incorporating requirements from the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Fair and Accurate Credit Transactions Act) that will direct SEC-governed financial institutions to take a significant number of additional steps to secure the privacy of customer data. In the wake of numerous breaches over the years, these amendments by the SEC are a welcome move.

The proposed amendments cover four key areas:

Information protection. Affected businesses must develop and execute detailed, written programs that name an individual to be in charge of information security: a CISO or CSO. They must also identify anticipated threats and implement controls to address identified threats. (This will force the use of policies and technologies to better safeguard data today and into the future, as opposed to focusing on the way data breaches have occurred in the past.) Security controls must be tested and monitored, the findings must be documented in writing and the program must then be modified based on those tests and any “relevant technology enhancements” that could impact the effectiveness of the program.

Expanded scope of protected information. Regulation S-P standardizes the types of information that must be protected to apply to both personal information and consumer-report information. It also moves to protect employee data at these businesses, specifically user names and passwords, in an effort to better protect data security.

Expansion of the Disposal Rule. While many data breaches result from careless disposal of personal information (lost data tapes, printed files not being shredded, etc.), many organizations are overly focused on addressing technology vulnerabilities. The Disposal Rule will now be expanded to include not just the financial institution’s employees, but also any other persons who handle that data during its disposal, including contractors and agents.

Data breach notification. Businesses must establish a written breach notification policy that outlines how they will respond to a data breach. It also requires notification of the breach to be provided to the SEC.

It’s important to note that Regulation S-P only applies to institutions under the control of the SEC (investment advisers, SEC-registered transfer agents, mutual funds and brokers/dealers). But aren’t these the types of requirements that all businesses should adopt as best practices in protecting customer records and information? These changes will clearly be a big driver in elevating the CSO role within financial organizations. My hope and my prediction is that this will generate a ripple effect into other industries as well.

-Bob Bragdon, bbragdon@cxo.com
before all hell breaks loose

Why in blazes spend months installing security and systems management in your organization? And then take days or even weeks to protect less than 60% of your systems? The forces of darkness attack in nanoseconds, not days.

takes to inoculate and verify that every computer is

somebody into a fiery pit.

BIGFIX defensive weaponry routinely protects hundreds of thousands of computers in real time, not weeks. Give us 3 hours to demonstrate our uncanny abilities and power. We’ll train your people, install our endpoint superhero behind your firewall, and then treat everyone to lunch. When we get back, we’re betting you won’t let us uninstall.

Schedule a demo by calling 510-652-6700 x116 or at www.bigfix.com/beforeallhellbreaksloose.

We’re really hot, which is why the leading
What’s on your mind? Security leaders discuss and debate at www.csoonline.com.

BLOG POST

Confessions of a Security Optimist

Joe Basirico used to be a cynic about user education. What happened?

I first noticed my new malady at Secure World Boston. I participated in a panel discussion on data protection. As my fellow panelists and I attempted to address the questions from the audience, I found many strange comments flowing from my mouth. There I was, cantankerous security engineer, extolling the virtues of user education.

Now in my own defense, the argument did make sense, but I think the fact that I’m currently agreeing with this other self is why it bothers me so much. I’d be happier if I could blame it on something I ate or perhaps dive into a paranoid rant about someone spiking my morning coffee. Seems now that neither of these are the case.

So, you ask, what is this stance I took that has me so perplexed? Well it is based in two well-known security adages. The first being, “Security is a weakest-link problem.” I think we can all get behind this one. Attackers will attempt to expend the least amount of energy possible to exploit a system. The second tenet on which I based this argument is, “Users are often the weakest link in security.” Put these two together and it is easy to see that some focus must be on the end user when discussing security.

So how do you secure people? Well most people will tell you that security should be transparent to users. I will agree with that in most instances, but what about when this isn’t possible? What about when you have to rely on the users to do the right thing? Why shouldn’t they write down passwords? Why shouldn’t they e-mail credit card numbers? The only way to get buy-in from users on this is to educate them on why they need to adhere [to security policies].

Too often, security is perceived by the end user as an impediment. The cross they must bear because the angry techy in the black T-shirt said so. What would happen if they were educated? What would happen if users felt empowered to contribute to security? What if we helped them see the value in good security versus the proverbial “shoving it down their throats”? Would we perhaps see more compliance with policy?

I know many will buck this idea as too insane to work. I understand that. I found myself completely at a loss when I first started down this path during that panel discussion. However, I was once told that the reason for software bugs was because developers and testers are lazy. Many managers believed this to be true (and possibly still do). I know from traveling around the world teaching developers and testers about security that laziness is not the only reason. Developers do care about software quality and want to do the right thing. Perhaps the same can be said of users?

-Joe Basirico, Security Renegades blog

What a Botnet Looks Like

This unique, annotated, interactive map shows various botnet architectures charted by security researcher David Vorel.

www.csoonline.com/article/348317

BLOG POST

Is Blogging About Security Safe?

CISO Dan Lohrmann ponders the risks

Is it safe to blog about security in government? That may sound like a pretty dumb question coming from a security blog that’s been around for over 18 months. And yet, I often get asked that question by Michigan technology staff and colleagues around the country. Now, Federal Computer Week may have settled the question by announcing that “Government enters the blogosphere.”

The Federal Computer Week article describes the benefits of blogging and gives examples from the Transportation Security Administration’s (TSA’s) support of customers via its blog. The article also gives tips on how to get started blogging and some items to think about in our Web 2.0 world.

About two years ago I had an idea: start a blog about cybersecurity in government. Initially, I was told “not now.” Later in 2006, I received permission from my boss and Michigan CIO at the time, Teri Takai.

I don’t regret getting into blogging, although I do feel pressure to post more often than my time permits. This became somewhat of a problem last fall and winter when I was knee-deep in deadlines regarding my upcoming book, Virtual Integrity: Faithfully Navigating the Brave New Web, which comes out in October. Work, home and other priorities often conflict with frequent posting.

Contrary to popular opinion, I’d start slower (blog less often), if I did it all over again. You can see how often I used to blog by going back into the archives. I try to blog once a week now.

Yes, starting this blog was a bit of a risk, but CSO magazine has been great to work with, and it opened up other opportunities. If you are so inclined, I say go for it. Here are a few things I’ve learned along the way:

1) Make sure you have management approval.

2) Be professional: tell true stories with integrity, but don’t give out confidential information or details that could harm your company or your career.

3) When you want to say something controversial, give your opinion, but respect the other side and be fair (exact quotes and links can help).

4) Blog on your own time. I’m not being paid to blog (by anyone).

5) Have fun. If you don’t enjoy it, find something else to do. Time is precious.

It looks like government blogging is now “in.” So hesitant managers may now be open to new requests to blog. If they said no before, try again, and use this article or the FCW articles to help make the case.

-Dan Lohrmann

BLOG POST

How to Write a Statement of Work

In drafting a consulting statement of work (SOW), keep the following in mind:

■ Detailed explanation of each party’s tasks and obligations. Avoid excess use of jargon unless such terms are clearly defined in the statement of work.

■ Include a project plan with a clear project schedule. All dates must be able to be readily calculated. Avoid referring to dates as “estimates.” Avoid calculation of all dates from the “beginning of the project,” without the date of that being clearly defined.

■ Include functional and technical specifications.

■ Remove or limit extensive lists of contingencies on the contractor’s performance. Carefully review and limit any contractor “assumptions” in the SOW. The vast majority of contingencies are very general in nature and would create a substantial “out” for the contractor or, at least, provide the means for the contractor to charge additional fees.

■ Avoid references to an associated proposal. Proposals may contain legal terms that could conflict with the negotiated agreement. If content in the proposal is relevant, it should be directly incorporated into the SOW.

■ Remove language that would allow the SOW to override or conflict with the underlying agreement.

■ Ensure the language in the SOW conforms to the underlying agreement. This means making sure defined terms used in the agreement are also used in the Statement of Work.

-Michael Overly
HOW TO

Fortify Your Connection

Any CSO knows corporate LANs are inherently more secure than public Wi-Fi. She also knows that proprietary or confidential information probably passes over Wi-Fi networks every day. Employees connect to hot spots in airports and hotels while on business travel, they access the Internet through their home router while working from home and they use public Wi-Fi to check company e-mail while taking a coffee break at Starbucks. It’s essentially impossible for anyone in today’s business climate to completely avoid public networks. But there are things you and your employees can do (a combination of awareness, education and policy) to mitigate the risk and keep your company’s IP safe.

Public Wi-Fi users face two dangers:

Sniffing: “If you’re connected to an open wireless network and not using a sophisticated authentication or encryption scheme, anyone in the vicinity could [potentially] see what you’re transmitting,” says Amit Sinha, CTO at Web security and monitoring vendor AirDefense. For example, according to Sinha, if you’re checking e-mail without a high layer of encryption like HTTPS or SSL, hackers have the ability to capture those wireless packets and recreate the e-mails you’re sending back and forth. Encryption makes it almost impossible for someone to decipher that information, but for the majority of hot spots, unencrypted transactions are the norm.

Phishing: Public Wi-Fi is a breeding ground for the act of wireless phishing, says Sinha, thanks to an attack known as an “evil twin.” In this scenario, someone forces connections to a wireless network that looks legit but isn’t. A hacker could use wireless phishing tools like Hotspot or Karma to become a man in the middle and intercept communications from other computers, says Sinha.

These threats are pervasive, according to Ken Dulaney, a vice president and analyst at Gartner. There’s not much you can do to authenticate and encrypt on a public Wi-Fi network because you don’t control the access point. But you do control the endpoint. Taking a few general precautions will keep you safe, say Dulaney and Sinha.

Make sure laptops are properly patched. Keep antivirus systems running and up to date. Enforce use of a VPN. This will ensure that the information being transferred over the network is encrypted and undecipherable to potential sniffers.

If you take these preventive measures, there should be little problem with Wi-Fi, says Dulaney.

Finally, remind employees to secure their home networks. Since the home access point and network belong to them, they can set up proper encryption mechanisms, like Wi-Fi Protected Access (WPA).

-Katherine Walsh
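The two precautions above (spot an "evil twin" that borrows a trusted network name, and let company traffic flow only over the VPN or a trusted encrypted link) as an added Python illustration; this is not code from the article, AirDefense or Gartner. It assumes an endpoint agent already has the scan results as plain records; the trusted-AP inventory and the sample scan are constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory: SSIDs the company trusts, the access-point BSSIDs
# (radio MAC addresses) known to serve each one, and the security the real
# network uses. An employee's WPA-protected home router can be registered the
# same way once they have secured it, as the article recommends.
TRUSTED_NETWORKS = {
    "CorpNet":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
    "HomeWiFi": {"bssids": {"aa:bb:cc:dd:ee:01"}, "security": "WPA"},
}

ENCRYPTED = ("WPA", "WPA2")   # WEP and OPEN are treated as unprotected


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str   # "OPEN", "WEP", "WPA" or "WPA2"


# Constructed scan result, the shape an agent gets back from the OS Wi-Fi API.
SAMPLE_SCAN = [
    AccessPoint("CorpNet", "00:11:22:33:44:01", "WPA2"),            # legitimate office AP
    AccessPoint("CorpNet", "de:ad:be:ef:00:01", "OPEN"),            # same name, unknown radio, no encryption
    AccessPoint("Airport_Free_WiFi", "12:34:56:78:9a:bc", "OPEN"),  # ordinary open hot spot
    AccessPoint("HomeWiFi", "aa:bb:cc:dd:ee:01", "WPA"),            # employee's secured home router
]


def find_evil_twin_candidates(scan, trusted=TRUSTED_NETWORKS):
    """Flag access points that advertise a trusted SSID from a radio we have
    never registered, or with weaker security than the real network uses.
    Either is the shape of the "evil twin" the article describes."""
    findings = []
    for ap in scan:
        known = trusted.get(ap.ssid)
        if known is None:
            continue  # unfamiliar SSID: not impersonating one of ours
        if ap.bssid not in known["bssids"]:
            findings.append((ap, "trusted SSID from an unregistered BSSID"))
        elif ap.security != known["security"]:
            findings.append((ap, "security changed from %s to %s" % (known["security"], ap.security)))
    return findings


def corporate_traffic_allowed(connected, vpn_up, trusted=TRUSTED_NETWORKS):
    """Endpoint policy from the article: company traffic may flow only through
    the VPN or over a trusted, encrypted network served by a registered AP.
    Returns (allowed, reason)."""
    if vpn_up:
        return True, "VPN tunnel active; a hot-spot sniffer sees only ciphertext"
    known = trusted.get(connected.ssid)
    if known and connected.bssid in known["bssids"] and connected.security in ENCRYPTED:
        return True, "trusted encrypted network from a registered AP"
    if connected.security not in ENCRYPTED:
        return False, "unencrypted link without VPN: traffic is readable nearby"
    return False, "encrypted but untrusted or unregistered network without VPN"


if __name__ == "__main__":
    for ap, why in find_evil_twin_candidates(SAMPLE_SCAN):
        print("ALERT %s %s: %s" % (ap.ssid, ap.bssid, why))
    for ap in SAMPLE_SCAN:
        for vpn in (False, True):
            ok, why = corporate_traffic_allowed(ap, vpn)
            print("%-17s vpn=%-5s %s: %s" % (ap.ssid, vpn, "allow" if ok else "block", why))
```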
We take for granted that what we put online will be available. But when YouTube went offline for the better part of a day, it highlighted the fundamental insecurity of Internet routing, according to researchers and Internet registry officials.

The problem is that routing depends on ISPs advertising which addresses they can reach, and there’s no way to check their claims. “There’s no way to ensure that’s actually legitimate,” says Danny McPherson, chief research officer at Arbor Networks, a member of the Internet Architecture Board and the author of several books on Internet routing.

In one sense, the YouTube episode was predictable. It happened five years to the month after “The National Strategy to Secure Cyberspace” report included these words: “Propagation of false routing information in the Internet can deny service to small or large portions of the Internet. For example, false routes can create ‘black holes’ that absorb traffic destined for a particular block of address space.”

A black hole is exactly where YouTube went when Pakistan wanted to block access within its borders to an “un-Islamic” video on the site. Pakistani technicians injected false information into the routing system, claiming a shorter path to YouTube. Unfortunately, the false routing information wasn’t explicitly limited to Pakistan and propagated through the entire Internet, resulting in everyone’s YouTube traffic ending up in the Black Hole of Pakistan for the better part of a day.

While that appears to have been an accident, the same could be done to sabotage Internet connections or to mount sophisticated criminal attacks against corporations or governments. For example, McPherson says false routing information could be used to redirect data to a criminal site to harvest account information.

The subparts of the Internet use a protocol called BGP (Border Gateway Protocol) to tell the rest of the Internet which IP addresses are reachable through them. But McPherson points out there is no way to formally verify that a route is correct. The entities making up the Internet can verify routings within their borders but not those from outside.

There’s a simple way to solve this problem: ISPs should filter routing announcements, says McPherson. Some ISPs do this, but not all, nor are they required to. Alternate approaches include establishing either a central registry for routing information or some kind of distributed authentication mechanism.

There have been several efforts to secure routing, including secure versions of BGP such as Secure BGP and Secure Origin BGP. “Technologies are being batted around but not accepted,” says Mark Fosters, CTO of the American Registry for Internet Numbers (ARIN), the Regional Internet Registry (RIR) that assigns IP addresses in North America.

ARIN is working with its Asian counterpart, APNIC (Asia Pacific Network Information Centre), and IETF (Internet Engineering Task Force) to develop certificate-based verification methods for tracing IP addresses. But that is some ways off.

Meanwhile, both Fosters and McPherson say there are several things companies can do:

■ Require your ISP to filter all its routing announcements. This will make sure that none of its customers announce routes to IP addresses they don’t own. This should be part of your request for proposals and your bandwidth contracts.

■ Develop an interdomain policy for what IP addresses you can make public.

■ Monitor your ISP’s routing structure.

And remember this warning from Fosters: “The whole area of Internet routing is highly insecure.”

-Rick Cook
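The ISP-side announcement filter and the customer-side monitoring check from the list above, as an added Python illustration (not code from the article, Arbor Networks or ARIN). It assumes an authorization table standing in for the "central registry for routing information" the article mentions; all prefixes (documentation ranges) and AS numbers (private range) are constructed, and the rejected announcement reproduces only the shape of the incident (a more-specific prefix inside someone else's block).

```python
import ipaddress

# Constructed authorization table: which origin AS may announce which block,
# and the most specific prefix length allowed under it. BGP prefers the most
# specific route, so a /24 carved out of someone's /22 attracts their traffic
# even when the /22 is still announced; that is why max_len matters.
AUTHORIZED = [
    # (prefix,           max_len, origin_as)
    ("198.51.100.0/22",  22,      64500),   # "video site", whole /22 only
    ("203.0.113.0/24",   24,      64501),   # another customer of the same ISP
]

# Constructed: announcements received over the BGP session with customer AS64501.
SAMPLE_SESSION = [
    ("203.0.113.0/24", 64501),   # its own block
    ("198.51.100.0/24", 64501),  # more-specific inside AS64500's /22: the incident's shape
]

# Constructed: what a route view of the wider Internet shows at the same moment.
OBSERVED_ROUTES = [
    ("198.51.100.0/22", 64500),
    ("198.51.100.0/24", 64501),
]


def validate_announcement(prefix, origin_as, table=AUTHORIZED):
    """Classify one announcement as 'valid', 'invalid' or 'unknown' with a reason.

    Route-origin validation in miniature: the announced prefix must fall inside
    an authorized block, be no more specific than that block allows, and come
    from the authorized origin AS."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [(ipaddress.ip_network(p), ml, asn) for p, ml, asn in table
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown", "no authorization covers %s" % prefix
    for block, max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid", "covered by %s (AS%d, max /%d)" % (block, asn, max_len)
    # Covered, but by the wrong AS or too specific: reject either way.
    block, max_len, asn = covering[0]
    if origin_as != asn:
        return "invalid", "AS%d is not the authorized origin (AS%d) for %s" % (origin_as, asn, block)
    return "invalid", "/%d is more specific than the allowed /%d" % (net.prefixlen, max_len)


def filter_customer_session(announcements, customer_as, table=AUTHORIZED):
    """ISP-side filter (the article's first recommendation): from a customer
    session accept only announcements that customer is authorized to originate."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state, reason = validate_announcement(prefix, origin_as, table)
        if state == "valid" and origin_as == customer_as:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


def monitor_own_prefixes(observed_routes, my_prefixes, my_as):
    """Customer-side check (the article's third recommendation): alert when any
    route overlapping one of our blocks is seen with an origin other than ours."""
    alerts = []
    mine = [ipaddress.ip_network(p) for p in my_prefixes]
    for prefix, origin_as in observed_routes:
        net = ipaddress.ip_network(prefix)
        if origin_as != my_as and any(net.subnet_of(m) or m.subnet_of(net) for m in mine):
            alerts.append("%s originated by AS%d, expected AS%d" % (prefix, origin_as, my_as))
    return alerts


if __name__ == "__main__":
    accepted, rejected = filter_customer_session(SAMPLE_SESSION, customer_as=64501)
    print("accepted:", accepted)
    for prefix, reason in rejected:
        print("rejected %s: %s" % (prefix, reason))
    for alert in monitor_own_prefixes(OBSERVED_ROUTES, ["198.51.100.0/22"], my_as=64500):
        print("ALERT", alert)
```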
Building a Framework for Success with Business Continuity

The ability to seamlessly, continuously operate a business in an era of instantaneous communications across globally connected networks is paramount to market success. To that end, disaster recovery and business continuity have emerged as strategies no organization can do without. Too often on the front lines of everyday business, however, good intentions and working plans get sidelined. Whether caused by complacency, a lack of IT knowledge or inadequate funding, many companies find themselves unprepared for a sudden disruption — or data loss that could prove crippling, if not fatal.

There are no easy answers. Managing disaster recovery and business continuity can stretch budgets, fray nerves and leave IT executives pondering how to get the most out of available resources. But with recovery time objectives (RTO) and recovery point objectives (RPO) shrinking and budgets stagnant, business and IT decision makers must cope with the possibility that systems can fail—due to either human or natural causes—and that there’s no time for shipping tapes, transporting people and putting all the pieces back together again.

To be sure, it’s an entirely different business environment than in times past. Today, organizations must keep servers, Web sites, and databases running in the face of adversity—all while making data accessible to those who require it at the time they need it. As the president and CIO of a major IT consulting firm puts it: “It’s all about moving past the old world, break-fix mentality and investing the money and time to build a strategic model.”

Disaster Recovery: Perception versus Reality

Although disaster recovery has always played a key role in keeping a business operating, the events of 9/11 created a sense of urgency that transformed IT and the enterprise. A few years after 9/11, the massive New York City blackout and Hurricane Katrina in New Orleans and the Gulf Coast reinforced the importance of backing up and managing data. To be sure, the threat of data disruption and loss seemed tangible and real. An organization lacking protection risked seeing its most valuable assets disappear in an instant.

Unfortunately, within many firms, urgency has often faded to complacency. An IDG Research Services survey of 100 respondents from the corporate world found that executives rated their companies, on average, a B- in terms of preparedness for a human or natural disaster. Remarkably, 38 percent did not give themselves a passing grade for human-caused disaster recovery (such as power failure, terrorism and hack attack); 43 percent reported they were not prepared for a natural disaster (such as a storm, earthquake or hurricane); and 68 percent lack the necessary preparation for a pandemic (such as avian flu, SARS or a yet unidentified disease).

While these grades are not dropping—they are consistent with the numbers reported in 2007—they illustrate a gaping hole that exists within most organizations. Too often, CIOs and other IT executives wind up planning for the last disaster rather than anticipating the next one.

Still, the threat remains a very real one. For instance, seven in 10 respondents in the IDG Research survey have experienced a serious network outage; just more than half have endured a hardware failure; and slightly less than half have dealt with a significant power failure. In addition, just more than four in 10 have faced an application or operations error. Natural disasters, too, present challenges—though, not surprisingly, the number of organizations affected by various events varies. In 2008, less than 20 percent of respondents faced a hurricane, flood, earthquake, or tornado.

A decade ago, most organizations could continue to operate in the face of a network outage. Telephones and faxes allowed conversations and essential exchanges to take place. Unfortunately, that’s no longer the case. As one CIO for a major building and construction company puts it: “We have so many satellite locations, and so much data that’s being gathered in so many locations in the field and then transmitted back to the corporate offices, that protecting our data aggressively and in real time becomes our primary objective.” Further complicating matters for many firms: If a supplier or business partner suffers an outage, the problems can ripple throughout the entire supply chain.

IT executives increasingly recognize that disaster recovery is more than a patchwork of backup systems and software for restoring data. It’s essential to have an optimized, efficient and comprehensive solution in place. And the challenges aren’t limited to tight budgets and corporate priorities. Infrastructure management, sponsorship, policies, testing, training, change management, enterprise support, customer requirements, and workflow all enter into the equation. Without taking into account the sum of these factors, it’s impossible to build and maintain a system that can stand up to the hardships
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of  today’s  business  environment. 

The  bottom  line  results  are  significant.  Only  4  percent  of 
respondents  in  the  IDG  study  indicated  they  were  “extreme¬ 
ly  confident”  in  their  business  continuity  preparedness.  Less 
than  one-third  were  “very  confident”  and  about  45  percent 
reported  they  were  “somewhat  confident.”  These  numbers, 
while  indicating  that  organizations  are  addressing  business 
continuity  issues,  show  that  CIOs  and  other  IT  executives 
need  to  pay  closer  attention  and  take  a  more  comprehensive 
approach  to  managing  and  protecting  enterprise  data. 

Coping with a Changing Business Environment

It’s no secret that performance pressures are growing. Fifty-four percent of organizations now face an RTO of less than 12 hours, 75 percent have an RTO of less than 24 hours, and nearly 100 percent have established an RTO of 48 hours. IT executives expect the windows to decrease in the coming year; nearly two-thirds think they will have a four-hour or less RTO in place by 2009, and 98 percent are looking at a 24-hour RTO window within the same time frame.

As recovery time objectives shrink from days to hours and recovery point objectives become more critical, organizations must seek more efficient ways to tackle disaster recovery and business continuity.

The common denominator is that organizations are now examining how to enhance or revamp disaster recovery and business continuity services already in place. In fact, the IDG study found that 81 percent of organizations are considering changes. Leading areas of focus include storage replication (47 percent); fail-over (42 percent); virtualization (37 percent); outsourcing to a third-party provider (22 percent); electronic replication (18 percent); automation (17 percent); electronic vaulting (10 percent); and grid computing (4 percent). These results were mostly in line with findings from 2007.

Among the more promising of these technologies is virtualization. It enables an enterprise to optimize system performance through load balancing, boost system reliability and availability, and lower the overall costs associated with disaster recovery and business continuity. Virtualization creates a more efficient environment by reducing the load on servers during backups; optimizing resources by running a single software agent on a proxy server rather than installing and managing the application on every machine across the enterprise; and making it possible to utilize Fibre Channel tape devices and virtual machine backups.

[Chart. Q: What new technologies or services, if any, is your company currently evaluating or considering to enhance or replace your current business continuity/disaster recovery solution? Source: IDG Research 2007/2008]

Advertising Supplement

Of course, virtualization alone can’t transform an organization; it is merely one piece in the business continuity puzzle. Its value is enhanced within organizations that rely almost entirely on Intel-based and AMD-based systems, which provide support for virtualization features and technology. Legacy systems, including mainframe and midrange computers, can pose enormous challenges since they aren’t able to run virtualization. This can translate into difficulties virtualizing data from major applications, including enterprise resource planning (ERP), supply chain management (SCM), and manufacturing resource planning (MRP) on legacy systems.

An array of other tools and technologies are also making their mark, including virtual tape systems, storage area networks (SAN), network-attached storage (NAS), Internet Small Computer System Interface (iSCSI), and continuous data protection (CDP), which automatically saves a copy of every change made within e-mail, documents, databases, logs, and various other types of files. However, installing and integrating these systems, and keeping them up to date, can challenge even the most tech-savvy organization. More than a few CIOs have found themselves straining under the weight of constantly evolving technologies and rapidly changing business conditions.


Building a Better Model

The end goal, of course, is to provide uninterrupted access to critical data. As a result of today’s highly complex data environment, many organizations are also taking a close look at managed services. This approach offers a high level of customization along with consulting expertise. It also lets an organization outsource the management of hardware and software used to run backups and restorations. For many companies, this approach is cost-effective and thwarts problems, interruptions and breakdowns.

An advantage of turning to a managed services provider is that it can develop a business continuity plan and ensure that an organization has the right resources in place. The approach also reduces IT capital expenditures while reducing, if not eliminating, the need to build and maintain separate data centers, along with all the hardware and software required to keep them running effectively. A good managed services provider, with geographically dispersed facilities, makes it possible to reconnect to data after a disruption without substantial travel and adjustments.

The best managed services providers offer recovery services (including systems recovery, trading services, end-user recovery, voice recovery, and mobile recovery); network services (including routing, bridging and re-direct); software tools for building a strategic plan and enhancing the decision-making process; and testing services that detect errors, speed up the recovery process, avoid downtime, and ensure data availability and integrity.

This approach can reduce risk and maximize return on investment. And it fits with today’s disaster recovery and business continuity environment. IDG Research found that 65 percent of the firms surveyed report competing priorities, 41 percent lack the necessary personnel to implement and manage systems, 32 percent face technological limitations, and 29 percent suffer from little or no management support. For many organizations, moving to a managed services strategy with a qualified provider not only makes sense, it also helps manage dollars more effectively. It essentially transforms an IT and business burden into a competitive advantage.

Choosing the right managed services provider isn’t a task to be taken lightly, however. It’s essential for a company to have adequate network capacity, ample bandwidth, redundancy, hardened facilities, and a track record for success. At the same time, expertise and consulting experience determine whether an infrastructure delivers on its promise or suffers critical failures at inopportune times. A managed services provider must operate at the lightning-fast speed of today’s business environment and ensure that the solution fits the enterprise platform.

The road to effective disaster recovery and business continuity isn’t likely to get easier in the foreseeable future. However, with the right planning, preparation, training, technology, and processes, an organization can position itself for success. Make no mistake, a sound business continuity strategy is no longer an option; it’s an absolute necessity. In today’s high stakes global economy, it can determine whether an enterprise flourishes or flounders.

For more on business continuity, including the research report mentioned in this article, please visit the Sungard solution center at www.cio.com/solution-centers/sungard.


>> BRIEFING

Michael Lynch, CSO of DTE Energy

METAL THEFT

Copper Men

Record copper prices spur theft

In February 2007, CSO exposed the epidemic and security threat of copper theft. At the time, Michael Lynch, CSO of Michigan utility DTE Energy, gave CSO a firsthand look at the physical security challenge facing CSOs like him. Lynch recently sat down with CSO for another look inside the world of metal theft and an update on Michigan’s problems and progress.

CSO: How does the metal theft situation at DTE Energy today compare with what was going on when the original story was first reported in the fall of 2006?

Michael Lynch: It’s accelerated. Last year we had over 400 incidents of energized conductor theft. That means that every day, multiple times a day, someone was stealing live copper wires. Last year it cost us well over $12 million to restore service when the wires were stolen.

What measures have you been taking to combat metal theft?

We’ve had a terrific response from the Detroit police department. They recognize that this isn’t just a nuisance crime, it’s a serious crime that’s attacking the infrastructure of the city. It’s also affecting public safety. If someone takes down a wire and we don’t immediately know about it and someone steps on it, the result could be a serious injury. With law enforcement engaged, we’ve established a task force that meets once a week. It’s made up of representatives from the electric industry, communications industry and the police department.

What are some of the initiatives you’re working on?

We go door to door talking to people, sharing information and raising awareness. We do some private patrolling in the hopes of catching people either stealing the wire or burning the sheathing off to get to the copper. We give $1,000 for information that leads to the arrest of someone stealing our wire. Police conducted roughly a dozen raids in the last year. We also give a reward of $2,500 for information that leads to the arrest of anyone buying the copper illegally. These middlemen typically pay thieves half of the actual value of the copper and sell it to the scrap yard. We were able to shut down one such operation entirely through a tip we received from that reward program.

Where does copper theft lie on your list of security concerns today?

From an operational standpoint, it’s the most significant threat we have.

What needs to happen in order for you to feel like you’re not constantly playing catch-up?

We don’t have a problem catching criminals; the problem is what happens when they get in front of a judge. I was part of a team of prosecutors and police that recently met with a group of circuit court judges about the issue, so we are making progress. The legislation is helpful, but it has to come down to what happens when the judge hits his gavel.

-Katherine Walsh


SPAM ALERT

You’ve Got Backscatter

Seven questions about a very annoying e-mail problem

What is backscatter?

E-mail bounceback messages. Backscatter occurs when a mail server accepts spam e-mail from a legitimate server, determines that the address is nonexistent and then bounces it back to the (forged) sender address.

Why is it called backscatter?

The term comes from physics, where it refers to the reflection of particles or radiation back to their source.

How many kinds of backscatter exist?

There are three types: mail server messages saying that there is no such user available; out-of-office automated reply messages; and challenge-response messages, which tell the sender that his message will be delivered once he responds to the bounceback and confirms that the e-mail is coming from a legitimate address.

When did backscatter start?

About five years ago. Ironically, backscatter is the result of tighter spam filtering. When e-mail servers started rejecting messages from nonexistent domains, spammers started using real domain names.

How do the spammers get your e-mail address?

They either skim it off a webpage or guess it.

How big a problem is it?

Security firm Sophos estimates that between 2 percent and 3 percent of all e-mail messages are backscatter. Some people have reported getting thousands of backscatter messages per day. In March, an ISP went offline after being hit with 10,000 bounceback messages per second.

How can it be stopped?

Security experts say that most backscatter could be stopped if ISPs simply configured their mail servers to reject e-mail bound for nonexistent addresses. Backscatter would then go back to the server that was sending it. New mail standards like Sender Policy Framework (SPF) and DomainKeys could solve the problem.

-Robert McMillan
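The accept-then-bounce behaviour described in the first answer, and the fix described in the last, as an added example that is not part of McMillan’s piece: a small Python simulation of an inbound mail server in both configurations, plus a minimal SPF lookup against a constructed record. The receiving domain example.com, its mailbox list, the victim.example SPF record, the IP addresses and the spam message are all constructed for the demo; no real DNS or SMTP traffic is involved.

```python
"""Backscatter simulation: accept-then-bounce versus reject-at-RCPT.

Added example, not from the CSO article. The domain, mailbox list,
SPF record, IP addresses and messages below are all constructed.
"""
import ipaddress
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"       # constructed receiving domain
LOCAL_USERS = {"alice", "bob"}     # constructed list of real mailboxes

# Constructed DNS TXT data for a minimal SPF lookup (no real DNS queries).
SPF_RECORDS = {"victim.example": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM; the address spammers forge
    envelope_to: str     # SMTP RCPT TO
    body: str


@dataclass
class MailServer:
    """Toy inbound MTA. reject_at_rcpt=True is the configuration the article recommends."""
    reject_at_rcpt: bool
    outbound: list = field(default_factory=list)   # DSNs this server emits

    def rcpt_to(self, address: str) -> str:
        local, _, domain = address.partition("@")
        if domain != LOCAL_DOMAIN:
            return "550 5.7.1 Relaying denied"
        if self.reject_at_rcpt and local not in LOCAL_USERS:
            # The connecting server gets the error while still on the wire,
            # so the decision to bounce (or not) stays with the sender.
            return "550 5.1.1 User unknown"
        return "250 OK"

    def deliver(self, msg: Message) -> str:
        code = self.rcpt_to(msg.envelope_to)
        if not code.startswith("250"):
            return code
        local = msg.envelope_to.partition("@")[0]
        if local in LOCAL_USERS:
            return "delivered"
        # Accept-then-bounce: the message was taken in, the mailbox turns out
        # not to exist, and a DSN is sent to whatever MAIL FROM claimed.
        # With a forged sender, that DSN is backscatter hitting a third party.
        if msg.envelope_from:                       # null sender gets no DSN
            self.outbound.append(Message("", msg.envelope_from,
                                         f"Undeliverable: {msg.envelope_to}"))
        return "bounced"


def spf_check(envelope_from: str, client_ip: str) -> str:
    """Minimal SPF evaluation: ip4 mechanisms plus a final 'all' qualifier."""
    domain = envelope_from.partition("@")[2]
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def simulate(reject_at_rcpt: bool, use_spf: bool = False):
    """Deliver one forged spam and report (result, number of DSNs generated)."""
    server = MailServer(reject_at_rcpt)
    spam = Message("innocent@victim.example", "nosuchuser@example.com", "buy now")
    spammer_ip = "203.0.113.7"   # constructed; outside victim.example's SPF range
    if use_spf and spf_check(spam.envelope_from, spammer_ip) == "fail":
        return "550 5.7.1 SPF fail", len(server.outbound)
    return server.deliver(spam), len(server.outbound)


if __name__ == "__main__":
    print("accept-then-bounce:", simulate(False))            # ('bounced', 1)
    print("reject at RCPT TO: ", simulate(True))             # ('550 5.1.1 User unknown', 0)
    print("SPF checked first: ", simulate(False, use_spf=True))
```

The first run produces one DSN addressed to innocent@victim.example, which never sent anything; that DSN is the backscatter. The second run returns the 550 to the connecting server inside the SMTP session, so no DSN is ever created, which is exactly the "reject e-mail bound for nonexistent addresses" advice in the last answer. The third run shows how an SPF check on MAIL FROM lets the server refuse the forged message before it has to decide anything about the recipient.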




14 www.csoonline.com June 2008

Photo by Rachel Holland



SURVEILLANCE

Big Brother Needs Glasses

A British law enforcement official says the country’s more than 4 million cameras have done little to prevent street crime

Closed-circuit cameras are so widely used that we now bemoan the surveillance society and regularly invoke the idea of Big Brother. So it made news when a British law enforcement official said the country’s more than 4 million cameras have done little to prevent street crime.

British law enforcement has been able to solve only 3 percent of the street robberies in Britain, says Mick Neville, detective chief inspector and head of the Visual Images, Identifications and Detections Office at New Scotland Yard. Neville, speaking at the Security Document World Conference in London in May, said billions have been spent to install the cameras.

“It’s been an utter fiasco,” Neville said, according to widely published reports. “There’s no fear of CCTV. Why don’t people fear it? [They think] the cameras are not working.”

Several problems undermine the use of cameras:

■ Images taken from the cameras are often not good enough to use in court.

■ It takes hours to search video to find those images, time officers are reluctant to spend, especially for solving petty crimes.

■ The cameras require maintenance and have been found pointing in the wrong direction or lacking film.

By the same token, CCTV has helped in some high-profile cases. And it does seem to work in parking lots and other semi-open spaces, according to studies reported in The Independent.

Neville called for several measures to improve the way CCTV is used in preventing crime: more training for officers in how to find images they can use in court to convict accused criminals; establish a London-wide database of images from CCTVs and eventually a national database of the images; use software to parse images for logos that can be used to search video images more broadly to help find better images of criminals taped in the act, but whose faces are out of focus or obscured; and post images of suspected criminals on the Internet.

In other words, Big Brother needs glasses.

-Michael Fitzgerald

SOME FACTS AND FIGURES ABOUT CCTV IN BRITAIN:

4.2 million: Estimated number of CCTV cameras in the U.K.

32: Number of cameras within 200 yards of where George Orwell wrote 1984

1942: First CCTV system installed (in France)

Estimated number of CCTV cameras in London homes

20: Number of areas in the U.K. that have talking CCTV

Number of cameras that will be used to police the London 2012 Olympics

Source: Jill Dando Institute of Crime Science, Mirror.co.uk
Potent Quotables

“You can’t patch stupid”

-Overheard numerous times

“I am not really sure what the future holds for cryptography but I am sure that within the next 10 years there will be gene splicing that allows women to reproduce without men.”

-Whit Diffie, during the Cryptographers’ Ball panel

Question from panelist: “Do you perform your home banking on the same PC that your kids use for social networking and if so, do you feel secure?”

Answer from audience: “Yes, because the bank is responsible and liable!”

-Jeff Bardin


Q&A

THE GUARDING OF THE PRESIDENT

Robert Rodriguez tells how the Secret Service will keep the candidates safe

Since the assassination of Democratic candidate Robert Kennedy in June 1968, the Secret Service has been required to protect presidential and vice presidential candidates within 120 days of the general election. (When Kennedy was assassinated, Secret Service protection was limited to the incumbent, but President Lyndon Johnson had withdrawn from the race.) If warranted, candidates can request security earlier, as Barack Obama did in May 2007, the earliest such request in the history of the Secret Service.

For an inside look at candidate protection, CSO spoke with Robert Rodriguez, who spent more than 22 years as a special agent with the Secret Service. During that time, he held roles in executive protection, protective intelligence and criminal investigations. He also spent eight years at the White House serving Presidents Reagan, Bush and Clinton.

CSO: What elements of protection for the president translate over to protection for a presidential candidate?

Robert Rodriguez: The resources are more robust for an acting president. But the protective role, the model, the response and the training are the same. The Secret Service agents are taught a standard and protocol from day one, creating a culture of preventative, proactive thinking.

How does this presidential campaign compare with past campaigns?

Barack Obama requested protection earlier than any other candidate thus far. The adjustment of primary dates affects things. In the past, candidates were eliminated earlier, which reduces the commitment and load of the Secret Service personnel. In terms of threats, risks and vulnerabilities related to our protectees today versus 10 or 20 years ago, 9/11 is a factor. That said, typically the lone assassin has been a challenge for us.

What scenarios would you plan for?

One scenario is an event where everyone has gone through magnetometers, the full support of the Secret Service is present and a rope line is keeping the candidate separate from the audience. We also plan for impromptu stops on the street where people haven’t been checked, or if the candidate is attending a fund-raising event, or giving a speech in a gym.

Does the level of protection given to the candidate depend on the circumstance?

Basic protection consists of the immediate detail, a detail leader and the shift supervisor. The standard protection is at least two details on the campaign trail, sometimes a third. They rotate every three weeks. There will be considerably more protection moving into the general election. The Secret Service will start to provide countersniper teams, counterassault teams, magnetometer teams, K9 units and countersurveillance units, for example.

-Katherine Walsh

Secret Service agents stand guard as Democratic presidential hopeful Sen. Barack Obama and his wife, Michelle Obama, eat cheese steaks in Philadelphia.
By Mary Brandel

Message Received

A look at tools for taking due care with enterprise instant messaging

Messaging security is not just for e-mail anymore, especially with more employees using public instant messaging platforms in the workplace. According to Gartner analyst Peter Firstbrook, public IM has become an e-mail alternative for viruses and other malware. IM security vendor Akonix reported recently that it had tracked 20 new pieces of malicious code in February, an increase of 43 percent over January. On the outbound side, IMs can contain objectionable, illegal or otherwise sensitive content.

At the same time, only 10 percent of organizations have formal IM policies, according to a 2007 Burton Group survey. Of those, only half secure the application. Many don’t even know whether employees are using IM.

Enter IM security software. Whether in the form of appliances, hosted solutions, software modules or features of other Web and e-mail security systems, the role of IM security is to protect against inbound threats like viruses, worms, spyware and messaging spam (also called SPIM); use content filtering to prevent outbound threats caused by information leakage; log and archive all IM conversations; and ensure compliance through policy enforcement, auditing, archiving and access controls.

Market Outlook

The IM security market is dominated by three companies with products that were originally dedicated solely to protecting IM: FaceTime, Akonix and Symantec (after it acquired IMlogic). But a growing number of companies offer components of IM security, including Web security gateway, e-mail compliance, archiving and security providers like St. Bernard Software, Trend Micro, Barracuda Networks, Secure Computing and Websense.

Other companies, such as MessageLabs, Postini, MX Logic and FrontBridge, offer hosted IM security solutions.

According to Firstbrook, Akonix and FaceTime are ripe for acquisition by a larger, established security vendor. “You don’t want to treat IM as an island because it’s not,” he says. IM authentication, threat protection and archiving will likely be subsumed by vendors of antivirus software, established gateway devices (firewalls, proxy servers and URL filters) and archiving vendors, Firstbrook says.

Meanwhile, IM infrastructure vendors such as Microsoft and IBM will likely enhance native IM security requirements, increasingly marginalizing vendors dedicated to IM security, he says.

Key Strategies

It’s important to focus on the threats posed by phishing, malware and blended attacks, since IM is particularly susceptible to social engineering tricks. IM users are not as suspicious about embedded URLs and file attachments as their e-mail brethren, especially because attackers can infiltrate IM buddy lists, making it appear as though the fraudulent message originated from an IM contact. In addition, IM’s real-time nature causes malware to spread rapidly.

However, a growing number of companies are also interested in finding a tool that tracks, audits and even blocks certain IM conversations, to avoid leakage of intellectual property, enforce acceptable-use policies and comply with regulations and legal restrictions. This became a larger issue in December 2006 when the Federal Rules of Civil Procedure made IMs discoverable evidence in court.

At the Screen Actors Guild Producers Pension and Health Plans division, for instance, assistant CIO Kevin Donnellan worries about protecting the private health information of the organization’s membership, which includes some high-profile actors. Three years ago, however, he had no idea who was using IM within the organization, let alone what types of information they were sending around. To comply with HIPAA regulations, Donnellan implemented IMlogic [before it was acquired by Symantec] and used the granular controls to authorize IM use only to users who could prove they had a business need for it. “Maybe we’re a little old-school, but we don’t give IM to every staff member who comes on board,” Donnellan says. “We have a regulatory responsibility to protect patient information.”

Consumer-based IM protocols are proprietary and constantly evolving.

Appliance or Hosted?

Companies can choose between implementing server-based software, an appliance-based solution, a hosted platform or a hybrid approach. According to IDC (a sister company to CSO’s publisher), the messaging security market will more than double from $2 billion in 2006 to $4.8 billion in 2011. Among the components of the market—software, appliance and hosted services—IDC predicts hosted services will be the fastest-growing.

Buzzword Alert

According to Maurene Caplan Grey, founder of Grey Consulting in Kent Lakes, N.Y., any communication that travels over IP is a candidate for some type of security breach, including Web mail, blogs, IM, VoIP, P2P networks and Web conferencing. This has led IM security vendors to add more coverage to their wares, beyond IM. As often happens, a buzzword has emerged to describe this effort: unified communications strategy. Caplan Grey says to ignore the buzzword and focus on what types of communications the vendor protects today, what that protection means, what the vendor plans to protect in the future, and its affiliations and OEM partners.

Evaluation Criteria

Key aspects of IM security include archiving, authorization, compliance, manageability, content inspection, spam-over-instant-messaging (SPIM) protection, IM identity registration, monitoring and integration with other security systems.

Increasingly, companies want to manage IM in accordance with other messaging media. Look for integration with enterprise IM systems, public IM systems, e-mail archival solutions, antivirus systems, corporate directories and firewalls.

Dos and Don’ts

DON’T think your bases are covered with a corporate IM system. Corporate IM provides some controls and security, but analysts say additional security is needed to fully address the risks of IM. This includes restricting and/or managing public IM and complying with regulations that require auditing and archiving.

At CEVA Logistics, employees were previously allowed to instant message using Microsoft Live Communications Server with security provided by the company’s Check Point Software firewall.

But when CEVA Global Network Operations Manager Tony Taylor grew concerned about complying with the Sarbanes-Oxley Act’s auditing regulations, he tried taking IM away from employees altogether. In the end, because some customer contracts stipulated the use of real-time IM communications, he decided to implement FaceTime’s IMAuditor. “It allowed us to secure the LCS environment, and people can also use third-party IM clients,” Taylor says.

DO ensure that ever-changing IM protocols are supported. Consumer-based IM protocols are proprietary and constantly evolving, so it’s important for the IM security vendor to be able to continuously update protocol signatures on the firewall.

DO consider encryption. Some vendors, such as Presensoft and Secure Computing (with its CipherTrust IronIM), offer encryption for IM transmissions. In addition, FaceTime stores IM messages in an encrypted database.

DO get a sense of how forward-thinking the vendor is. The world of IP messaging is constantly evolving, from IM protocols to downloadable applications, and so are the attacks that threaten security. That’s why it’s important to ask vendors about future plans—the next new threat they’re working on and what you should be thinking about over the next year. “You need to find out what’s on their road map,” Caplan Grey says. “Get a picture of who’s the most forward-thinking and who has the funds and R&D staff to execute on those plans.” And because threats to IP messaging are often blended threats (for instance, enticing users to click on a URL that exposes them to bots or identity theft), vendors need to provide security across different media, in a similarly blended way, she says.

DON’T overlook your current security providers. It’s very likely that your current security providers—of Web filtering, firewall, virus protection, spam filtering, data leakage software, etc.—are building out their messaging security portfolios either through partnerships or acquisitions. That’s why Caplan Grey urges users to ask current providers about their plans in this area. “You may be able to take advantage of licensing savings, integration or support advantages,” she says.

THREE KINGS

The “Big Three” of instant messaging security are FaceTime, Akonix and Symantec, with its acquisition in 2006 of IMlogic. Here is a snapshot of each company:

FaceTime’s Enterprise Edition and Internet Security Edition provide visibility, security and control for Web browsing, IM, P2P, Skype and Web conferencing. The company’s software allows organizations to implement policies that detect, secure and manage real-time collaborative applications while preventing inbound malware threats, minimizing information leakage and controlling employee Internet use.

FaceTime integrates with Skype, Web conferencing platforms (Webex), public IM networks (AIM, Yahoo, MSN, GoogleTalk, ICQ and more), as well as with enterprise IM platforms and professional community networks (Microsoft, IBM, Antepo, Jabber, Parlano MindAlign, Reuters, Bloomberg, Communicator and PivotSolutions).

The company has been ranked number one in IM market share by IDC (a sister company to CSO’s publisher) for four consecutive years.

Akonix’s L7 Enterprise suite delivers IM policy management and enforcement, archiving, content scanning, reporting and protection for communications media such as instant messaging, online conferencing, VoIP and electronic fax.

Through business alliances and integration, Akonix supports enterprise IM platforms and professional community networks such as Reuters, Microsoft, IBM, Jabber and Bloomberg, as well as message archiving through EMC, HP, Symantec, Iron Mountain, Zantaz, Intradyn, C2C, Fortiva, Quest Software and others.

According to Gartner, Akonix has a large, installed base of clients with many “marquee” names, although it has lost some momentum compared with its chief rivals, IMlogic (Symantec) and FaceTime.

Symantec IM Manager 2007 manages, secures, logs and archives corporate IM traffic, with certified support for public and enterprise IM networks, including granular policy enforcement and security controls for files, audio, video, VoIP, application sharing and other real-time communication capabilities.

Symantec also offers integrated archiving and compliance for IM through its Enterprise Vault solution, as well as protection against viruses, blended threats and other vulnerabilities through Symantec Security Response.

As a large security vendor, Symantec has the deep pockets to continuously add support for the ever-growing number of IM threats, as well as the increasing number of IP-based messaging media, according to Maurene Caplan Grey, founder of Grey Consulting in Kent Lakes, N.Y. -M.B.

DO ask how the system protects against malware. While vendors such as FaceTime, Akonix and Symantec continually update their virus signatures, protecting against IM viruses requires other evergreen tactics, according to a FaceTime spokesperson.

For instance, the product can unmask a bot by asking simple questions that require a human response, like, “What is 2 + 2?” “That could stop even zero-day threats before they’re detected,” she says. The system also keeps an eye out for anyone sending too many messages all at once, since that’s usually a sign they’re infected with something. “It’s one thing to run signatures, but you also need proactive measures, which stops unwelcome behavior on the network,” Firstbrook agrees. For instance, you’d want a system to detect and then isolate any computer displaying bot-like behavior, such as opening multiple sessions in a small time frame, he says.

DON’T treat IM security as an island. While vendors such as IMlogic, FaceTime and Akonix all got their start by offering dedicated IM security tools, the trend is to protect not just IM but all messaging from one platform, Firstbrook says. That’s why Symantec’s Enterprise Vault, for instance, archives data from e-mail, IM, content management and collaboration systems, and its antivirus system includes IM virus definitions.

In addition, FaceTime offers not just IMAuditor but also Unified Security Gateway, which integrates management, security and compliance for Web communications, consumer-driven Web applications (such as public IM, Skype and P2P) and enterprise IM platforms. Taylor currently uses IMAuditor, for instance, but is testing its USG product and plans to upgrade.

For its part, Secure Computing rolls IM control into its e-mail security appliance, and Akonix partners with FrontBridge Technologies to enable an integrated, hosted archiving and compliance solution for both e-mail and instant messaging. “You don’t want to archive IM in a separate archive or treat it differently from a policy perspective,” Firstbrook says. ■

Mary Brandel is a freelance writer outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.
EXCLUSIVE SURVEY

By Derek Slater

There’s no better way to put it: The security world is powering up. CSOs are more skilled, equipped with better credentials for engaging with the business world, reporting higher in their organizations and lasting longer in their jobs.

As with any good sports team, of course, there’s no declaring victory until the season is over. And the season is never over. So this special issue of CSO aims to continue the process of building stronger leaders in order to strengthen the security profession itself.

To that end, we’ve supplied data from our exclusive “State of the CSO 2008” survey (Page 26) and then provided practical looks at three critical to-dos for security leadership: expanding your knowledge base outside the borders of “security” (Page 28), refreshing business communication skills (Page 32), and applying financial concepts (Page 36).

These ideas and areas of expertise are becoming more prevalent among CSOs; the next phase of development will be to drive the same knowledge and skill sets down into the roots of every security department.

Here’s to continued progress.

Illustration by Brian Stauffer
More Power to You

WHERE SECURITY reports on the organizational chart is a good barometer of the profession’s standing. For the first time, the number of respondents who report directly to the CEO or president of their organization is equal to the number reporting to the technical function. That’s the first sign of expanding influence. The number of respondents working for the COO has also increased, suggesting perhaps the growing view of security as an operational risk management pursuit.

To whom do you directly report?

                         2008   2003
CIO or CTO                22%    30%
CEO/President             21%    12%
COO or equivalent         11%     6%
CFO or equivalent          5%     5%
General Counsel/Legal      4%     2%
Other                     37%    34%

Response base: 290 in 2008 survey; 408 in 2003 survey


CERTIFICATIONS REMAIN important, but the big story here is the astonishing and encouraging increased number of security leaders who hold an MBA. In 2003, 14 percent could hang an MBA on their office wall. Today, that number has risen to more than a quarter of respondents.

Which of the following degrees and/or certifications do you hold? (Multiple responses possible.)

MBA  26%
CISSP  23%
Military or law enforcement  14%
CISA  11%
CPP  11%
JD  3%
PhD  3%

TENURE IS on the rise, offering further evidence that the security leadership position is becoming more stable and mature. And perhaps, just perhaps, that the “fall guy syndrome,” in which CSOs served as handy scapegoats, regardless of who accepted a particular business risk, is receding.

How long have you been in your current position?

Less than one year  8%
Between one year and two years  13%
Between two and three years  20%
Between three and five years  21%
Between five and 10 years  23%
More than 10 years  16%

(Numbers do not total 100% due to rounding.)


WHILE I.T. remains a common background for survey respondents (in all likelihood indicating that the title CSO is still held by information-security-only leaders in a lot of companies), a wide variety of other experiences shape the security function.

What is your background? (Multiple responses possible.)

Information systems  58%
Business operations (sales, admin, etc.)  24%
Military  18%
Physical security  18%
Audit  16%
Law enforcement  16%
Legal  4%
Other  13%


Changing World, Changing Job

ORG CHARTS aside, here’s direct and resounding indication that the corporate world has awakened to risk management.

In the past 12 months, has your organization’s leadership placed more, less or the same value on risk management?

More value  62%
No change  32%
Less value  6%

AND THERE’S one likely reason for risk management’s greater value: more laws. While it’s been a quiet year (relatively) for new federal laws, companies still face an expanding list of state disclosure laws, new PCI application security requirements, and rolling deadlines such as the FACT Act’s Red Flag Rules.

In the past 12 months, has the amount of time you spend on regulatory compliance increased, decreased or stayed the same?

Increased  59%
Remained the same  40%
Decreased  2%

(Numbers do not total 100% due to rounding.)


Measured

The “State of the CSO 2008” survey shows growth on almost every front in the battle to ingrain security and risk management into every business. We heard from senior leaders on everything from organizational charts and strategic priorities to daily duties.

Let’s dive into the key findings:
ORGANIZATIONAL CONVERGENCE of physical and IT security has been one attempt to provide clearer oversight into risk. Detractors of this idea are holding steady; negative responses totaled 44 percent this year, which is exactly the same result obtained in 2006.

In your opinion, should information and physical security groups operate as a single combined department?

2008

Always  32%
In my industry, yes  23%
Not in my industry  35%
Never  9%

(Numbers do not total 100% due to rounding.)


Weak Points

MANAGEMENT’S UNDERSTANDING of security is rated reasonably high; ratings for the general workforce suggest that employee regard for security remains (as always) the key area for improvement.

Indicate how strongly you agree or disagree with the following statements, using a scale of 1 to 5 (5 meaning strongly agree):

MEAN SCORE

Senior management has established a security policy and auditing process  3.8
Senior management views the security leader’s role as strategic and permanent  3.7
Security is viewed as essential to business, as opposed to an overhead cost  3.6
Security considerations are a routine part of your company’s business process  3.6
All managers understand their roles and responsibilities with regard to security  3.1
All employees receive training in all security policy topics  3.6
All employees are trained in the sanctions and consequences of a security breach  3.4
All employees consider security to be part of their everyday responsibilities  3.1


Satisfaction and Confidence

LAST, HERE are a few points of interest from a new set of questions in the survey.

Overall, CSOs love their jobs and confirm their extremely high confidence that risk management will gain further recognition as an important business discipline. That’s a great sign.

Relative to those high marks, respondents are somewhat less content with the quality and relevance of the security products and services they are offered.

Dramatically lower is their regard for national security policy and for law enforcement’s ability to address electronic crime issues.

What conclusion might one draw from connecting these dots? For years we’ve been hearing (and repeating) the old saw about the vast majority of the United States’ critical infrastructure being owned and operated by private industry. This chestnut is usually rolled out in an attempt to goad the private sector into more enlightened and proactive security investment. But if these survey results are to be believed—and it’s a reasonable assumption that about 90 percent of respondents are in the private sector—the commercial world feels that it’s doing quite well at security and the problem lies in the public sector.

Rate your satisfaction with the following, on a scale of 1 to 5 (5 being highly satisfied):

MEAN SCORE

Your job overall  4.0
Your organization’s acceptance of/support for security  3.7
The quality and relevance of security standards and guidelines  3.6
The quality and relevance of products offered by security vendors  3.4
The quality and relevance of services offered by security vendors  3.3
National policy regarding security  3.0

Rate your confidence in the following, on a scale of 1 to 5 (5 being highly confident):

MEAN SCORE

Continued growth of recognition of security as a business function  4.0
Short-term viability of the Internet as a business channel  3.9
Long-term viability of the Internet as a business channel  3.9
Your ability to secure your company’s assets, given current resources  3.6
Law enforcement’s capabilities to stop and prosecute electronic crime  2.6

Derek Slater is the Editor in Chief of CSO and can be reached at dslater@cxo.com.


To excel in enterprise security, it helps to know about more than security. Four professionals trace their journey toward a well-rounded skill set.
By Lauren Gibbons Paul

The strands that weave together to form the fabric of a satisfying career are often rich and varied. Even threads that appear out of place join to form a cohesive tapestry. This is especially true in security, which (despite its ancient roots) is, in many respects, a new field. Some CSOs arrive at their posts after following educational paths or early work experiences that appear to contrast with their current profession. Some pursue multiple certifications or complementary degrees to build their knowledge. And this development of multiple areas of expertise can turbocharge a security professional.

Marc Fidanza is a good example of the phenomenon. Fidanza earned a degree in business and accounting as well as a CPA before he got involved in security, almost by accident, in the early days of the profession. Now director of security for Takeda Pharmaceuticals North America in Chicago, he worked in internal audit for American Airlines right out of college. When the airline’s audit division was broken up into different groups, Fidanza found himself working on fraud cases involving frequent flyer miles. That was the beginning of his love affair with security.

“It worked well because they had a gap on their team from a financial accounting standpoint. That was a skill set they didn’t have,” he says. “I was given the opportunity to demonstrate my value. [Having the CPA] definitely opened some doors for me to be placed on the security staff permanently.” But the biggest benefit of his background is built-in credibility with the people to whom he has presented plans or budgets. “They are typically very savvy people so it has helped me articulate the security value proposition,” he says.

Illustration by Brian Stauffer
EDUCATION AND CERTIFICATION

CISSP, CISA and CPP you already know. But what nonsecurity certifications might broaden your skills? Here are three examples:

Certification: CPA (Certified Public Accountant)
Offered by: American Institute of Certified Public Accountants (AICPA)
Description: Finance and accounting

Certification: PMP (Project Management Professional)
Offered by: Project Management Institute (PMI)
Description: Project management skills

Certification: CIPP (Certified Information Privacy Professional)
Offered by: International Association of Privacy Professionals (IAPP)
Description: Expertise with U.S. and international privacy laws

Because the field is evolving and widening in scope, having a diverse background—whether educational or experiential—stands a CSO in good stead. The dizzying array of risks today demands a holistic approach to security, and that meshes well with a CSO who has wide-ranging educational or professional experience.

MBAs Need Apply

DAVID KENT, FOR EXAMPLE, aspired to be chief of police in a small town like the one in which he grew up, so he earned an undergraduate degree in criminal justice. Upon graduation, he found there were not many places that needed a sheriff. Working for a small defense contractor in the late 1980s, he started to develop an interest in information security.

“It was a nascent field at the time,” says Kent, currently vice president of security for $3 billion pharmaceutical giant Genzyme in Cambridge, Mass. He worked in other roles, including a multiyear stint at Bolt, Beranek and Newman at the beginning of the Internet era, before he decided he needed better grounding in business.

“The only way you can apply the discipline of security is to fully understand the environment. I had to go learn business,” says Kent. Now, with a graduate degree in business management under his belt, Kent frames proposed solutions in the language of business, underpinned by an understanding of the unique challenges of today’s pharmaceutical industry.

He believes having a deeper knowledge of business is critical to CSOs, who now must be aware of the interrelated nature of risk. “It is convenient to divide the world into information security and physical security and supply chain security and whatever else, but you have to protect the enterprise by taking the whole view,” says Kent.

Tim Williams’s path in life is strikingly similar to Kent’s. Global director of security for $44.9 billion manufacturer Caterpillar, Williams had his eye on a career in public law enforcement. After earning an undergraduate degree in criminology, however, he went to work for Procter & Gamble. There, he got in-the-trenches training on how things were done at one of the world’s top-performing companies.

“I consider it a gift that I got my start at such a great company,” says Williams, who is also president of ASIS International, the association for security professionals. That early experience convinced Williams to go for his MBA. This took several years due to a heavy international travel schedule at Boise-Cascade and Nortel Networks.

The long hours studying at night and on planes were worth it in the end, he says. “I knew that [the MBA] would give me a better basis for management-level positions regardless of what track I took.” Indeed, when Caterpillar came knocking, he was able to take a seat at the table with the other top executives. There are other ways to develop broader business perspective than getting an MBA, but it is clearly a sound credential for CSOs—one that garners automatic respect from business leaders.

Not for the Lazy

CERTIFICATIONS ARE ANOTHER avenue to attaining diverse qualifications to enrich your career, especially for those just starting out. As with degrees while working, earning certifications can require a lot of self-discipline, not to mention an autodidactic nature. Chad McDonald spent more than one year of his life earning three certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Project Management Professional (PMP).

McDonald was thrust into the world of security a few years back when he was working in computer support at Georgia College & State University in Milledgeville. Two students flooded the college’s mail server with malicious messages, shutting the system down for several hours. (The students were later prosecuted; one was deported.) The school’s IT staff had to scramble to contain the damage and McDonald was called upon to help.

“That incident opened my eyes to the fact that we were at risk and to what we could do to mitigate those risks,” says McDonald. Soon, he found himself acting as the college’s one-man security shop. On his own accord—out of his own pocket and without taking a prep course—he started spending his weekends studying for the CISSP. After a full year, he took the test and passed.

“It was tough. But I got really interested in all aspects of security. I transformed myself,” says McDonald. He then knocked off the CISA and the PMP in another few months.

The certifications are more than so many pieces of paper to McDonald. For one thing, they made him a much more attractive candidate when he was interviewing for a position as CISO for Georgia College.

“They were looking for someone who had not only experience but credentials behind their name. [The certifications] show that I do have the knowledge. They were a door opener,” he says. Even better, he will receive an annual bonus for each certification, which has, no doubt, sweetened the memory of those long hours studying.

The Long View

ALL OF THE security professionals interviewed here strongly endorse the idea of obtaining multidisciplinary expertise as a way to further one’s career. Kent of Genzyme encourages executives working in security—including those on his own staff—to fill the gaps in their knowledge by obtaining education in complementary areas.

“We try to have all the members of our team take a multidisciplinary view of security. The woman who runs our product security just got her master’s in information security. That wouldn’t seem to be tied to her role in global product security, but it gives her great overlap of knowledge.” ■

Lauren Gibbons Paul is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.
6th Annual EXECUTIVE WOMEN’S FORUM
Information Security, Risk Management & Privacy

September 16-18, 2008 | Sheraton Wild Horse Pass | Chandler, AZ

WOMEN OF INFLUENCE AWARDS

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women’s Forum.

NOMINATION FORM AVAILABLE AT: http://public.cxo.com/awards/W0l_2008_application.html

Nominations must be submitted by August 1, 2008.

Building a Holistic Risk Approach: The Power of Leveraging

Hosted by Alta Associates, Inc. the 6th Annual Executive Women’s Forum (EWF) brings together more than 200 women of influence, power and intelligence to explore the challenges of building a holistic risk approach.

Learn how industry experts are leveraging their technology, networks, and organizations to achieve success.

The EWF provides a unique atmosphere that fosters the development of creative ideas, innovative solutions and deep relationships. Join your peers in gaining practical knowledge of best practices.

AGENDA

> Keynote: Leveraging Your Unique Strengths, Val Rahmani, General Manager IBM ISS, Security & Privacy

> Convergence: The Good, the Bad & the Ugly

> Emerging Technologies and Emerging Workforces

> Managing Risk in a Flatter World

> Protecting Privacy: Leveraging Relationships Internally and Externally

> Board of Directors Boot Camp with Susan Stautberg

> International Threat Landscape Workshop

> Speaker: Dale Atkins; Author of “Sanity Savers”

For more information on the EWF or to register, please visit: www.infosecuritywomen.com

Attendees from the 2007 Executive Women’s Forum.

Media sponsor & awards co-presenter: CSO, Business Risk Leadership

Diamond Sponsors: Information Networking Institute, Carnegie Mellon; Microsoft
CSO has been harping on it for six years: Communication skills go nowhere without an understanding of business basics. Here’s a refresher on speaking the language your company’s leaders can follow.

By William Brandel

It never fails. Ask security executives to name the biggest boon or detriment to their careers, and they’ll respond with the same answer: communication skills (see the box on Page 34). This isn’t news. But what does “communication skills” really mean, particularly when seen in the context of a security leader’s success?

Perhaps the answer can best be gleaned from a close look at an actual communication breakdown. Before Russell Walker became the VP of information security at Starbucks in Seattle, he was a security consultant, a role that tends to provide an unvarnished view into corporate dysfunction.


While working with an East Coast financial firm, he witnessed the not-so-rare occasion where a CSO struggled mightily and repeatedly failed in his efforts to sell a new Internet security solution to management. “His message to management was, ‘We’re vulnerable,’” Walker says. “The audience was thinking, ‘What’s vulnerability? What does this have to do with me?’”

What they were saying, Walker says, was, “Show me how to quantify my exposure and calculate the risk to my business.” So, instead of trying to sell the project through yet another presentation, the CSO tried a different format: a live demonstration.

“We demonstrated how easy it was to break into the site and get personal info on the executives in the room,” Walker says. “We showed we could get their salary, their 401(k) contributions and where they lived. Suddenly, the issue of personal identification and vulnerability resonated with them. It became personal.”

This anecdote helps underscore the various components of communication for the security executive. It was based on a format that conveyed the message. The demonstration used just enough information to get attention but not so much that it embarrassed or put off anyone in the room. In short, it was sensitive to its audience.

In other words, you can write, speak and present until you’re blue in the face, but unless you know how to reach your audience, you lack the communication skills needed to help provide adequate security to your company and be part of its success. You’re really not communicating until the other party—most notably, the holders of the budgetary purse strings—can actually understand you.

Sensitivity to the audience and its context is a cornerstone of excellent communication. This is especially important for executives who function in widely distributed business operations. Just as the security strategy for an East Coast financial services concern will be far different from that for a West Coast entertainment company, so is the business culture that permeates these organizations. At the same time, what is an acceptable tone for one region within the U.S., or the world, may be offensive or unacceptable in another.

One CSO cites an example where a simple, to-the-point message about compliance at a finance company out of the New York City headquarters was received as a reprimand on the West Coast. The result was that the company spent more time focusing on the insensitive tone of the message than on its contents.

The Art of Clarity

THE FINE ART of communication calls for one person to clearly convey a concept to another. This involves understanding what people need to know, what the substance of the message should be, and how and when it should be conveyed. To do this effectively, the communicator must be cognizant of the context of the necessary communication and be highly sensitive to the information needs and mode of reception of their audience. For a person focused on physical break-ins, phishing attacks and intellectual property theft, this basis for communication might seem a bit low on the priority list. However, for those who want their security initiatives to be understood, valued, approved and abided by, it is the key to their survival.

Always Number One

“STATE OF THE CSO 2008” respondents peg communication as the most critical leadership skill.

What personal skills or attributes are most pivotal to your success as a security leader? (Multiple responses possible)

Ability to communicate effectively ..................... 63%
Strategic thinking and planning ........................ 50%
Understanding business processes and operations ........ 47%
Understanding strategy in your industry ................ 35%
Ability to lead and motivate staff ..................... 30%
Technical knowledge/skills ............................. 29%
Ability to lead during a crisis ........................ 20%

Based on 290 responses.

“Companies are no longer willing to forgive a lack of excellent communication skills,” says Jeff Snyder, president of SecurityRecruiter.com. Snyder says that unlike five to six years ago, when companies were scrambling to gain a new security footing, today they are no longer willing to compromise on effective communication skills or on a strong security background. “They want it all,” Snyder says. “The cake, the ice cream and whipping cream on top.”

In short, when a company says it’s looking for a security executive, it’s seeking someone with the same business skills as any other departmental leader in the organization, who also just happens to know how to prevent, identify and thwart threats to that company and its employees.

The fact that expectations are being raised might put more pressure on security executives to be well-rounded in their skill set, but it’s the price for having arrived, says Paul Argenti, professor of corporate communication at the Tuck School of Business at Dartmouth College, in Hanover, N.H. In the 1990s, the emphasis for security executives was a more technical one, he says. Then, after 9/11, companies placed more emphasis on physical security.

Argenti says that many security executives today are discovering that “the skills that once made you successful as a security professional may have had very little to do with communication.” But that’s no longer the case. Communication skills must be “embraced as an added value throughout the organization.”

The role of the security executive is following the natural progression of maturity that other disciplines, such as information technology and human resources, have followed, Argenti says. The real and perceived threats to a company’s assets have raised the visibility of security in many companies. Senior management have responded by hiring security expertise and investing in security systems. After elevating security to a strategic function, most organizations have naturally attempted to integrate it into the wider organization. As a result, people who came from a law-enforcement or military background often have found themselves in the midst of corporate restructuring. And it has been in this environment, where communication is perhaps the most critical tool for survival, that security professionals and their employers have discovered whether the right level of communication skills is in place.

Mentoring and Managing

WHILE COMMUNICATION IS a universal human experience, the language of security is not one that is universally shared or understood. This nomenclature and terminology may be immediately recognizable between two security professionals. However, it can be indistinguishable to downright frightening to people who speak the language of business, says Howard Schmidt, former White House cybersecurity adviser.

Schmidt started his career in law enforcement and had benefited from doing public speaking in performing that role. However, even with that background, he found that as he made the transition into the business arena his communication skills still fell short. Schmidt was fortunate. A supervisor not only made him aware of this but helped mentor him early in his career.

“He said, ‘You need to develop a dialogue on the business of security, and not just security,’” Schmidt says. Security people tend to focus on what could go wrong and how to avoid it. This is often not only off the radar for many businesspeople, but it is often demoralizing and can tend to get tuned out. “When you just talk about bad things, and bad things don’t happen, you just lose your credibility.”

The major struggle for many security executives is to demonstrate that they understand that they are part of the business equation, says Bob Hayes, managing director of the Security Executive Council, based in Washington, D.C. “If communication is cited as an issue, it is often because of the failure to demonstrate alignment with their company’s strategic objectives,” Hayes says.

“Management today expects a strong security system as a given,” Hayes says. “The question is: What is a reasonable amount of risk? Can you add value while you provide security?”

As for which skills a security executive should be proficient in, the answer is simply: all of them. Strong writing skills are needed to communicate in a global environment. Speaking skills—knowing not only what to say but how to say it—are critical as well. This is especially important when you’re interacting with other executives, who don’t have the luxury of time to figure out your message. Presentation skills are extremely important, to know how to make the point in front of a board or management team.

Like any skill set, security executives have to play to their strengths but work on their weaknesses. While business schools are now offering communication seminars, security executives should not hesitate to take Dale Carnegie courses or join groups like Toastmasters to help hone their public speaking skills, says recruitment manager Snyder.

Perhaps the single most important communication mission for the security leader is to effectively articulate the value proposition of the security discipline, and its inherent programs, to the audience it is intended to serve and protect. In this sense, security executives need to be more masterful in communication because they address a world filled with evolving threats and compliance requirements. But it must be done in a way that encourages adoption of program practices and is seen as aligned with business objectives.

“It’s our job to get everyone on the same page,” says Starbucks’ Walker. “We do that by building awareness. We do that by repeating the message over and over. We do that by using whatever tools we need to reach our audience.” ■


William Brandel is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.
You need to find and use the right financial metrics to communicate security’s value to your company. Here are four.

By Michael Fitzgerald


Financial metrics have bedeviled CSOs from the start. How do you justify spending on something that isn’t designed to increase the bottom line? The fear factor exists, and yet explaining why bulletproof glass is worth more than Plexiglas still requires numbers. With a recession hovering over the United States like some black helicopter, there will be still more pressure to measure what security spending brings to a company. One big challenge is that the data rarely is simple to pull together. And even though there are now tools like Agiliance, which makes an ROI calculator for information security expenditures, the devil is still in the data.

Here are four well-known metrics that, if used properly, can help put the impact of security spending in the financial perspective companies need.

ROI (Return on Investment)

It’s a classic business expectation that if you invest money in something, you can measure the return on your investment by its impact on the bottom line. But understanding the value of security spending presents challenges, since the tension that exists in most branches of IT is that investment does not usually lead directly to profits.

For security spending, the problem is bigger: If investing in security works, nothing happens. But what if nothing would have happened anyway?

“[The trouble with] trying to calculate ROI on security tools is that they destroy the proof of their effectiveness simply by doing their job,” says Ross Leo, CEO of Alliance Group Research, a security consultancy.


So ROI has become a somewhat loose measure of how long it will take to recoup the cost of investing in security. It is not a perfect measure, which may be why its usage appears to be dropping.

Some 42 percent of organizations polled in the 2007 Computer Security Institute Computer Crime and Security Survey said they used ROI to measure their information security investments. That was up from 39 percent the year before, but well below the 55 percent who reported using it in 2004. Other common measures: 21 percent of respondents said they used internal rate of return measures, and 19 percent used net present value.

ROI can be straightforward for some aspects of physical security. Craig Chambers, CEO of Cernium, which makes software that analyzes videotape, says at a minimum, his firm’s tools mean companies can hire fewer security guards, creating obvious savings on salary and benefits.

But it’s rarely so straightforward to calculate savings. Some of the problems with using ROI:

Strict adherence to ROI may cause companies to pick the wrong technology to save money. For instance, a firm might find that inexpensive surveillance cameras are not as effective as ones that include built-in analytical tools, but a strict focus on ROI will seem to show a better payback for an inferior product, says Steve Hunt, a security consultant in Evanston, Ill.

“ROI is misleading because people don’t understand what they’re trying to accomplish. Look at the benefit you want first, then the ROI,” Hunt says.

Security costs can be vague. “It’s not like you can walk into your local shop and say I’d like two pounds of security and a half pound of infosec on top,” says Luke McConoughey, managing partner at My CSO Network, a managed security firm in Chandler, Ariz. McConoughey says potential customers frequently ask him what their return on investment will be. He doesn’t think ROI numbers work well in security, and he tends to counter with a discussion of their likely losses if they don’t invest in security services. Even though he prefers measuring losses, he concedes that unless a firm has recently experienced a breach of some sort, measuring costs becomes an exercise in “throwing darts at a dartboard.”


ROI tends to be easiest to calculate after an incident. That’s when costs tend to be clear. Otherwise, it’s tough to quantify the potential around losses, says Anthony Hernandez, managing director of the information risk management practice at Smart Business Advisory and Consulting in Devon, Pa. He notes, for instance, that it was difficult to say what companies would get in return for spending on HIPAA compliance. Regulations like Sarbanes-Oxley and the more recent Payment Card Industry (PCI) measures held clearer benefits because firms would be heavily penalized for not proving compliance. In the case of PCI, he’s seeing companies receive fines of $25,000 a month. It’s also possible to measure what breaches will cost, thanks in part to incidents like those at TJX, which paid $100 million in fines and another $156 million to resolve lawsuits. It would be harder to say whether TJX suffered any intangible costs, like loss of goodwill (sales actually rose in the wake of the breaches).

Note that there’s also another measure, ROSI (return on security investment), which works by taking the expected security spending and subtracting any expected annual loss (see ALE, Page 39).

TCO (Total Cost of Ownership)

AN ALTERNATIVE TO ROI is to figure the total cost of ownership (TCO) for a security investment. The measure just by its nature focuses on a cost, not a potential return, which meshes well with security spending. Kenneth Tyminski, the former CISO at Prudential Financial and now a consultant in Havelock, N.C., says his firm preferred TCO to ROI because it was obvious that for something like antivirus, the firm had to adopt the technology, but was not likely to see a financial return for the investment. So looking at costs made the most sense. Tracking TCO also helps in practical ways, Tyminski notes. “After a couple of years,” he says, “the cost of operating a tool or piece of hardware can be a lot higher than just buying new equipment.”

But TCO is also not a cut-and-dried measure. While the purchase cost or ongoing contract costs will be clear, figuring out less-obvious spending is harder. How much will it cost to install a product, for instance, or how much time will a systems administrator spend managing it? Still, working out these numbers can help illustrate how much it costs to roll out a technology, which is often more expensive than buying the technology itself.

For Tyminski, TCO helped him justify buying a new intrusion prevention system. Using maintenance costs, the salary of a dedicated staff person and the need for frequent and time-intensive upgrades, it became clear that the old system had become too costly to operate. So “we built a business case to say we had to buy a new technology,” he says.

William Bell, director of security at EC Suite, an ISP and e-commerce provider in Tempe, Ariz., says he uses TCO measurements in conjunction with expected likely losses (see ALE, Page 39) to help justify expenses on security. He says that the main challenge with TCO is “it’s hard to know what your total cost of ownership is before you make an investment, even if you have an evaluation period.”

Bell will measure the time system administrators need to spend with the product, how much time it will take to install or migrate to a software package, what the product itself costs (both up front and for maintenance or support) and how much time its help desk will spend doing hand-holding.

While it’s imprecise, he says that if he can give management a good sense of how much a security issue costs the firm and how much it will spend to solve the problem, that’s usually enough data to make a good decision for the firm.
Thomas Browning, vice president of compliance and CSO at AlliedBarton Security Services, says he uses TCO to make decisions on things like whether to buy or lease cars for security services provided to places like malls, and also for whether to buy weapons or have the client pay for weapons on contracts that require them.

“If I need to outsource a service, say, a database for a compliance initiative I’m working on, I have to ask myself, OK, is it cost-efficient to contract out or should I just go out and purchase?” he says.

Marc Shapiro, senior vice president of Group 4 Securicor, the parent company of Wackenhut, says the firm is seeing more CSOs look for metrics, primarily TCO. “They’re more cognizant of the fact that they’re under scrutiny, and they can’t just arbitrarily spend the money.”

He says that measuring TCO can help firms realize just what they’re spending, and for what. Ideally, he likes to contrast those with the potential losses, but even in the physical security world, annualized loss estimates “are difficult to get,” he says.

EVA (Economic Value Added)

THE BEST-KNOWN VERSION of EVA was developed and trademarked by Stern Stewart and offers a way to measure financial performance for business units. It was not developed for information security. In fact, it’s meant to be a metric that shows financial return, which may be why it was the least known of the financial metrics tools in this round-up. Still, it has applications in IT, in particular as a way to examine whether a company got whatever financial returns it expected out of an investment in security.

“I’ve seen EVA in very limited exposure in infosec,” says McConoughey, noting EVA usually appears in support of purchasing a security service.

To use an EVA in a practical way, one should take numbers used to generate things like total cost of ownership, ROI and the annualized loss expectancy, and compare them to actual costs, looking at factors like what it would cost to implement and support them.

Alliance Group Research’s Leo prefers using EVA to something like ROI. In part, that’s because firewalls and locks don’t really appreciate in value after they’re purchased; they aren’t those kinds of assets. Using EVA can help quantify whether security spending increases the value of a company by measuring what it’s worth for a company to avoid things like security breaches. The latest CSI survey showed that the average security breach costs a company more than $350,000, which is more than double 2006’s average of $168,000. While these numbers represent averages, they can help to show what costs companies incur for not using security services, giving a sense of the value of security spending.

There’s also a less proprietary EVA, earned value analysis. That’s from the project management world and is used to look at budgeted cost, actual costs and the value of the work performed. That’s the method used by John Linkous, who is the governance, risk and analysis evangelist at eIQnetworks.

Linkous says that both EVA and annualized loss expectancy (ALE) are more formal measures than either TCO or ROI, which he calls “a little more voodoo science.” He says that the other problem with TCO and ROI is that they are often used to justify decisions, rather than inform them. While an EVA can also be fudged, he says that it’s harder to do.

ALE (Annualized Loss Expectancy)

JUST THE ACRONYM alone should make this popular. And indeed, for many CSOs, calculating annualized loss expectancy provides a useful measure that can help set spending priorities for security. ALEs, for instance, are a way to measure the likely impact of security spending, drawing on existing data around everything from laptop theft to security breaches. Some organizations use similar measures, such as NIST’s FIPS (Federal Information Processing Standard) 200. The aim is to assess specific assets, then put a number to the risks they attempt to counter.

Jill Knesek, CSO of BT Americas, says she has stopped using ROI and TCO when talking to her CFO. She felt that the numbers were being driven by “‘Chicken Little’ kind of stuff,” like potential natural disasters, she says. More useful are ALE estimates based on the company’s historical data on incidents and related customer loss, brand damage and potential fines. In fact, BT tracks 20 major risks on an ongoing basis, and Knesek uses these numbers to build a risk matrix and presents that to management, framing the conversation in terms of risk exposure and risk appetite.

Knesek acknowledges that even with ALE and risk matrices, there is still a bit of prophecy to the numbers. But she thinks that overall, it works, and the ability to predict risk gets better with each year of data.

The trouble is that ALEs pale for some types of security. Security consultant Hunt, for instance, warns that “ALEs are just irresponsible, wild guesses in almost every case” when it comes to information security.

Yet even Hunt concedes that for some things, you can figure an ALE. For instance, it’s clear what it costs to replace a laptop or a car, and actuarial tables clearly show what kind of loss to expect from, say, earthquakes. Less helpful is looking at the ALE for a firewall. You know that if you don’t have one, “bad things are going to happen,” says Hunt.

So why bother calculating an ALE? Because ALE, used over time, can show that you’re getting something for your security spending, says Bart Lazar, a partner at the Chicago law firm of Seyfarth Shaw.

EC Suite’s Bell says that for specific risks ALEs work reasonably well, using measures like predicted rate of occurrence for things like attacks and hardware thefts. He looks at the actual cost as well as opportunity costs to build a loss expectancy for a year. Then he uses the cost of that potential loss to say, “If I’m going to put this protection in place, how much am I willing to spend to try to prevent it from happening, or to decrease my rate of occurrences?”

To justify adding a whitelisting application, Bell collected numbers on how often his staff had to deal with cleaning up infected PCs, how much it cost in terms of staff time or even needing to replace machines that were hopelessly infected. Then he boiled it down to “this is how much it’s costing us, and this is how much we’re going to spend to fix it.” In that case, he got approval for the whitelisting application, and says it met its projected return in eight months. ■
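As an added worked example (not from the article, EC Suite or any of the firms quoted), the Python script below prices a recurring loss the way Bell describes (rate of occurrence times direct plus opportunity cost), prices a proposed control with the TCO inputs from the TCO section (purchase, support, rollout, sysadmin and help-desk time), and computes the payback period, which is the "how much it's costing us versus how much we'll spend to fix it" comparison. It uses the common ALE = annual rate x cost-per-incident formulation, every figure is constructed, and the fraction of incidents a control prevents is an assumed input, not something the article supplies.

```python
"""ALE-versus-TCO business case for a proposed security control.

Added example, not from the article. Every figure below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LossScenario:
    """A recurring loss event, priced as direct cost plus opportunity cost."""
    name: str
    incidents_per_year: float             # annual rate of occurrence, from historical data
    staff_hours_per_incident: float       # cleanup time per incident
    staff_hourly_cost: float              # loaded hourly cost of the staff doing the cleanup
    replacement_cost_per_incident: float  # averaged cost of machines too infected to salvage
    opportunity_cost_per_incident: float  # lost productivity while the machine is down

    def cost_per_incident(self) -> float:
        return (self.staff_hours_per_incident * self.staff_hourly_cost
                + self.replacement_cost_per_incident
                + self.opportunity_cost_per_incident)

    def ale(self) -> float:
        """Annualized loss expectancy: rate of occurrence times cost per incident."""
        return self.incidents_per_year * self.cost_per_incident()


@dataclass
class Control:
    """A proposed countermeasure priced with TCO inputs."""
    name: str
    purchase_cost: float            # up-front licence or hardware
    annual_support_cost: float      # maintenance/support contract
    rollout_hours: float            # one-time install or migration effort
    admin_hours_per_year: float     # ongoing sysadmin time
    helpdesk_hours_per_year: float  # help-desk hand-holding
    hourly_cost: float              # loaded hourly cost of IT staff
    expected_rate_reduction: float  # assumed fraction of incidents prevented (0..1)

    def one_time_cost(self) -> float:
        return self.purchase_cost + self.rollout_hours * self.hourly_cost

    def annual_run_cost(self) -> float:
        return (self.annual_support_cost
                + (self.admin_hours_per_year + self.helpdesk_hours_per_year) * self.hourly_cost)

    def first_year_tco(self) -> float:
        return self.one_time_cost() + self.annual_run_cost()


def payback_months(scenario: LossScenario, control: Control) -> Optional[float]:
    """Months until avoided losses cover the one-time outlay, or None if they never do."""
    ale_after = scenario.ale() * (1.0 - control.expected_rate_reduction)
    net_annual_benefit = (scenario.ale() - ale_after) - control.annual_run_cost()
    if net_annual_benefit <= 0:
        return None  # the control costs more to run than the loss it removes
    return control.one_time_cost() / (net_annual_benefit / 12.0)


def business_case(scenario: LossScenario, control: Control) -> dict:
    """The numbers management needs: what it costs us now, what the fix costs, when it pays back."""
    ale_before = scenario.ale()
    ale_after = ale_before * (1.0 - control.expected_rate_reduction)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_loss_avoided": ale_before - ale_after,
        "first_year_tco": control.first_year_tco(),
        "payback_months": payback_months(scenario, control),
    }


# Constructed sample inputs (not figures from the article).
MALWARE_CLEANUP = LossScenario(
    name="infected PC cleanup", incidents_per_year=120.0,
    staff_hours_per_incident=4.0, staff_hourly_cost=60.0,
    replacement_cost_per_incident=150.0, opportunity_cost_per_incident=200.0,
)
WHITELISTING = Control(
    name="application whitelisting", purchase_cost=30000.0, annual_support_cost=6000.0,
    rollout_hours=80.0, admin_hours_per_year=100.0, helpdesk_hours_per_year=120.0,
    hourly_cost=60.0, expected_rate_reduction=0.85,
)

if __name__ == "__main__":
    for key, value in business_case(MALWARE_CLEANUP, WHITELISTING).items():
        print(f"{key:>20}: {value}")
```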


Michael Fitzgerald is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.
[debriefing]

Fun With Google

Search Party

In an ordinary Google search, approximate number of organic results for “security”: 1,020,000,000

Approximate number of organic results for “information security”: 28,200,000

For “physical security”: 2,070,000

Approximate number of organic results for “security convergence”: 36,900

Approximate number of organic results for pages containing “security” and “Schneier”: 300,000

For pages containing “information security” and “geeks”: 144,000

Approximate number for pages containing “physical security” and “ex-cops”: 115

Of the “10 physical security measures every organization should take” found in a blog entry, percentage that were for securing technology: 100

Percentage that were measures other than locks or technology: 0

Ratio of search results for “fishing” to results for “phishing”: 8 to 1

Ratio of results for “super Tuesday” to “patch Tuesday”: 9 to 1

Percent of the top 100 results for “spam” related to unsolicited e-mail: 87

Percent related to the Hormel meat product: 8

Percent related to a famous Monty Python skit involving Spam: 4

Percent related to the State Police Association of Massachusetts: 1

The first hit from an image search on “physical security”: A military police “Tower Rat”

The first hit from an image search on “information security”: A Dilbert-like cartoon

Approximate number of words on Google’s page that offers a “definition” of “security”: 9,000

Percentage of those words related to the concept of “freedom from risk”: Less than 1

Percentage of words on that definition page related to the financial definition of “security”: Greater than 99

First organic search result for “security”: “Microsoft Security”

939th and final result shown in the organic search results: “Security Camera Catches Rooftop [Sex]”

Searches performed in early May 2008 on google.com and affiliated sites.

Above: top image result for the phrase “Search Party” on google.com as of press time.
[Screenshot: browser address bar showing https://www.overstock.com/checkout, identified by VeriSign]


Get visible site security from the company your customers trust.


The latest and greatest in online security.

Also the greenest.


It’s simple: a green bar means your site is secure. For your customers, this means they can trust their Web experience. It’s all done through VeriSign Extended Validation (EV) SSL Certificates, which verify and visually represent the authenticity and security of Web sites. This protects you and online customers. Combine visitor confidence with the strongest encryption available to each site visitor to maximize your site’s overall security profile.


Get your free white paper, The Latest Advancements in SSL Technology, at www.verisign.com/cso or call 1-866-893-6565 or 1-650-426-5115.


© 2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


Get secure.

Get compliant.

Then buckle up and get ready for some


YCAETGIAM


(Get Your Company Agile Enough To Grow In A Moment’s Notice)

Once your IT security is doing everything you expect it to, have it do something no one would ever expect: Make your company more efficient, more flexible and more competitive than ever before. CA’s approach to IT security centralizes Identity and Access Management (IAM). That means you can deploy applications faster and more securely to capitalize on market opportunities. And with best-in-class modularity, scalability and integration, CA security solutions enable growth. To learn more about the full potential of IT security, download the ebook at ca.com/secure.